GDPR: What You Need To Know

GDPR is a European privacy law that went into effect on May 25, 2018. It imposes new regulations that may affect many US businesses, with significant implications from legal, process, technical, and security perspectives. In this post we present our initial findings on how GDPR may impact you and your business.

The General Data Protection Regulation (GDPR) is a law that addresses personal data protection and privacy for individuals within the European Union (EU) and the European Economic Area (EEA). GDPR aims to give individuals more control over their personal data and to simplify the regulatory environment for international business by unifying the rules across the EU/EEA. After four years of debate, GDPR was formally adopted in April 2016 and went into effect on May 25, 2018. It supersedes the Data Protection Directive of 1995.

GDPR defines new rules for collecting, processing, storing, and using personal data. One of its most important elements is its territorial scope: it applies not only to organizations established in the EU/EEA, but also to organizations anywhere else that offer goods or services to people located in the EU/EEA, or that monitor their behaviour (tracking visitors to a website, for example). This means your business doesn't need a physical presence in the EU/EEA, or servers in an EU/EEA location, to be subject to GDPR.

You may be thinking: "We don't collect personal data, so this doesn't concern us." Think again. Under GDPR, personal data is any information that can be used, directly or indirectly, to identify an individual. This includes the IP addresses collected by Google Analytics running on your website, and the names and email addresses you collect from your website contact form.

This is where things get complicated for US businesses. For companies that actively target EU/EEA customers there is no ambiguity: they need to comply with GDPR. But what about US businesses that aren't actively targeting EU/EEA customers? Should they comply with GDPR just because some website visitors are located in the EU/EEA? Most brick-and-mortar businesses probably have nothing to worry about. But if you are currently able (and willing) to take and fulfill orders from EU/EEA customers, for either products or services, or are planning to do so in the future, you should look into complying with GDPR. Signals such as accepting payment in euros, shipping to EU addresses, or offering your site in an EU language are the kinds of things regulators look at to decide whether you are "offering" goods or services to people in the EU/EEA.

GDPR defines two types of organizations, Controllers and Processors, which have to comply with different requirements. A Controller is an organization that determines the purposes and means of processing personal data, while a Processor is an organization that handles personal data on behalf of a Controller. In the case of your website's analytics, Google is the Processor and you are the Controller. Among the requirements GDPR imposes on Controllers and Processors are appointing a Data Protection Officer (where the nature or scale of the processing requires one), disclosing privacy policies, and ensuring that privacy protections are built into the organization's systems and processes by design, rather than bolted on as an afterthought.

Several new rights for individuals were created by GDPR. These include the right to free access to all personal data an organization holds about them (the Controller and all of its Processors), the right to correct that data, the right to download all of their personal data in a portable format (and to transfer it to another organization), the right to be forgotten (withdraw consent and have all personal data held by the organization erased), and the right to be notified promptly of any data breach that is likely to put them at high risk.

Another important aspect of GDPR is the new rules regarding consent. When an individual gives consent to the collection and processing of personal data, it is in relation to a specific purpose. Organizations are not permitted to hide consent-related information in long, illegible terms and conditions full of legalese. Requests for consent must be presented in an easily accessible and intelligible form, using clear and plain language. Consent must be explicit and affirmative: you cannot use pre-checked boxes and assume the user is giving consent by default. Consent must also be granular, so users can consent to some purposes and not others. Finally, withdrawing consent must be as easy as giving it, and you must be able to show what each person consented to, when, and what they were told at the time.
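A data model that enforces those consent rules, as an added example written for this post (it is not code from the original page or from any GDPR tooling; the purpose names, the policy version strings and the checkbox value "on" are assumptions): consent is recorded per purpose together with the policy version the person saw and where it was captured, an unticked or absent box records nothing, the latest decision for a purpose wins, and withdrawal is a single call.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Each purpose gets its own consent decision (granular consent).
# The purpose names are assumptions for this example.
PURPOSES = ("newsletter", "analytics", "marketing_partners")


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool           # True = opt-in, False = withdrawal
    at: datetime
    policy_version: str     # the privacy notice the person actually saw
    source: str             # where the decision was captured, e.g. a form id


@dataclass
class ConsentLedger:
    """Append-only record of consent decisions for one data subject.

    Consent is never implied: a purpose with no recorded opt-in is treated
    as not consented, and the latest event for a purpose is the current state.
    """
    subject_id: str
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, purpose: str, granted: bool, policy_version: str,
               source: str, at: Optional[datetime] = None) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose!r}")
        self.events.append(ConsentEvent(
            purpose, granted, at or datetime.now(timezone.utc), policy_version, source))

    def has_consent(self, purpose: str) -> bool:
        # Latest event for this purpose decides; no event at all means no consent.
        for ev in reversed(self.events):
            if ev.purpose == purpose:
                return ev.granted
        return False

    def withdraw(self, purpose: str, source: str) -> None:
        """Withdrawal must be as easy as giving consent: one call, no conditions."""
        if not self.has_consent(purpose):
            return
        last = next(ev for ev in reversed(self.events) if ev.purpose == purpose)
        self.record(purpose, False, last.policy_version, source)

    def current(self) -> Dict[str, bool]:
        """Snapshot of the current decision for every purpose (for a preferences page)."""
        return {p: self.has_consent(p) for p in PURPOSES}


def apply_form(ledger: ConsentLedger, form: Dict[str, str],
               policy_version: str, source: str) -> None:
    """Record only the boxes the person actively ticked.

    An absent or unticked box records nothing (so it stays 'not consented'),
    which is what rules out pre-checked defaults and bundled consent.
    """
    for purpose in PURPOSES:
        if form.get(purpose) == "on":   # an HTML checkbox is only submitted when ticked
            ledger.record(purpose, True, policy_version, source)


def require_consent(ledger: ConsentLedger, purpose: str) -> None:
    """Gate a processing step on current consent for that specific purpose."""
    if not ledger.has_consent(purpose):
        raise PermissionError(f"no consent for {purpose!r} from {ledger.subject_id}")


if __name__ == "__main__":
    # Constructed sample: a signup form where only the newsletter box was ticked.
    ledger = ConsentLedger("user-42")
    apply_form(ledger, {"newsletter": "on", "email": "a@example.com"}, "2018-05", "signup_v1")
    print(ledger.current())
    ledger.withdraw("newsletter", "prefs_page")
    print(ledger.current())
```

Keeping the ledger append-only (rather than overwriting a boolean column) is what lets you answer a regulator's "show me that this person consented, to what, and under which version of your notice" question later; the `current()` view is derived from it, never stored as the source of truth.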

Failure to comply with GDPR may result in fines of up to EUR 20 million or 4% of annual global revenue (whichever is greater). The amount of the fine depends on the seriousness of the infringement. It is not yet clear how aggressively these penalties will be imposed, or whether there will be any attempt to penalize US businesses that have no physical presence in the EU/EEA.

Key Points to Remember

Territorial Scope
Although GDPR is an EU/EEA law, it concerns organizations located outside of the EU/EEA that target customers located in the EU/EEA. Many US businesses may be affected by GDPR.

New Rights
GDPR introduced a number of new rights for individuals in regards to their personal data. This may have an impact on the way you collect, process, and store such data, as well as the new kinds of requests regarding personal data that you will need to support.

Consent
Individuals must give explicit consent on specific purposes. Consent cannot be assumed or accepted by default, and it cannot be hidden in layers or legalese. Consent can be revoked.

Penalties
Failure to comply with GDPR may result in very high fines, up to EUR 20 million or 4% of annual global revenue (whichever is greater).

GDPR Compliance Checklist

The following is a high-level compliance checklist. Its purpose is to give you a general sense of the actions and changes needed to comply with GDPR. Please consult with your legal and IT advisors for specific actions that need to be taken for your business to be in compliance with GDPR, if applicable.

Company Information

Your company has an inventory of all types of personal information it holds, the source of that information, who you share it with, what you do with it, and how long you will keep it

Your company has a list of places where it keeps personal information and the ways data flows between the storage locations

Your company has a publicly accessible privacy policy that outlines all processes related to personal data

Your privacy policy should include a lawful basis to explain why the company needs to process personal information

Management and Accountability

Your company has appointed a Data Protection Officer (DPO), if the nature or scale of its processing requires one

Create awareness among decision makers about GDPR guidelines

Make sure your technical and organizational security measures are up to date (for example encryption, access control, patching, and tested backups)

If your business operates outside the EU/EEA, you have appointed a representative within the EU/EEA

You report data breaches involving personal data to your supervisory authority (within 72 hours of becoming aware of them) and, where the breach is likely to result in a high risk to them, to the people (data subjects) involved

There is a contract in place with any data processors that you share data with

Your business understands when it must conduct a Data Protection Impact Assessment (DPIA) for high-risk processing

You only transfer data outside the EU/EEA to countries that offer an adequate level of protection, or under another approved safeguard

You regularly review policies for changes, effectiveness, changes in handling of data and changes to the state of affairs of other countries your data flows to

New Rights

Your customers can easily request access to their personal information

Your customers can easily update their own personal information to keep it accurate

You automatically delete data that your business no longer has any use for

Your customers can easily request deletion of their personal data

Your customers can easily request that you stop processing their data

Your customers can easily request that their data be delivered to themselves or a 3rd party

Your customers can easily object to profiling or automated decision making that could impact them

Consent

Ask consent when you start processing a person's information

Your privacy policy should be written in clear and understandable terms

It should be as easy for your customers to withdraw consent as it was to give it in the first place

If you process children's personal data, verify their age and ask consent from their legal guardian

When you update your privacy policy, you inform existing customers

Temporary Workarounds

Given the technical challenges and the investment needed to comply with GDPR, many US businesses have opted to block all web traffic from EU countries. News organizations like the Los Angeles Times and the Chicago Tribune are showing a message to visitors from the EU informing them that the site is not available in most European countries. The Washington Post has decided that, instead of complying with all the requirements of GDPR, it will stop all advertising and third-party ad tracking for visitors located in the EU/EEA, but with a 50% price increase for those users.
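One way to implement the EU/EEA block described above at the application layer, as an added example that is not from the original post or from any of the sites mentioned: a WSGI middleware that reads the visitor's country from the `CF-IPCountry` header that Cloudflare adds to proxied requests (the header name is the assumption here; any CDN header or GeoIP lookup that yields an ISO country code works the same way) and answers EU/EEA visitors with HTTP 451 (Unavailable For Legal Reasons). The country list reflects membership at the time of the post (it includes GB; the UK has since left the EU), and requests with no country code are let through, so the block is best-effort. Only trust such a header when your origin is reachable exclusively through the CDN, since anyone who can hit the origin directly can set it.

```python
from typing import Callable, Iterable, List, Optional, Tuple

# EU member states plus the three non-EU EEA states (Iceland, Liechtenstein,
# Norway), as of the post's 2018 date. Membership changes; maintain this list
# rather than treating it as fixed.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "GB", "IS", "LI", "NO",
}

# WSGI exposes the request header "CF-IPCountry" as this environ key (assumption:
# you sit behind Cloudflare; substitute your CDN's header or a GeoIP lookup).
COUNTRY_HEADER = "HTTP_CF_IPCOUNTRY"

UNAVAILABLE_BODY = b"This site is not available in your region.\n"


def is_blocked_country(country_code: Optional[str]) -> bool:
    """True if the ISO 3166-1 alpha-2 code is an EU/EEA country.

    Unknown or missing origin fails open: the goal is to avoid serving EU/EEA
    visitors, not to deny service to everyone the geolocation cannot place.
    """
    if not country_code:
        return False
    return country_code.strip().upper() in EU_EEA


class GeoBlockMiddleware:
    """Short-circuits EU/EEA requests before they reach the wrapped app,
    so no analytics, ad tags or form handlers run for those visitors."""

    def __init__(self, app: Callable, header: str = COUNTRY_HEADER):
        self.app = app
        self.header = header

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        if is_blocked_country(environ.get(self.header)):
            start_response("451 Unavailable For Legal Reasons", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(UNAVAILABLE_BODY))),
                ("Cache-Control", "no-store"),   # the decision depends on the client
            ])
            return [UNAVAILABLE_BODY]
        return self.app(environ, start_response)


def hello_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Stand-in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def simulate(app: Callable, country: Optional[str]) -> Tuple[str, bytes]:
    """Run one constructed request through a WSGI app; returns (status, body)."""
    captured: List[str] = []

    def start_response(status, headers, exc_info=None):
        captured.append(status)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if country is not None:
        environ[COUNTRY_HEADER] = country
    body = b"".join(app(environ, start_response))
    return captured[0], body


if __name__ == "__main__":
    site = GeoBlockMiddleware(hello_app)
    for cc in ("US", "DE", "no", None):
        print(cc, simulate(site, cc))
```

Geo-blocking is a blunt instrument: it does not stop an EU resident connecting through a VPN or a US data centre, and it does nothing for the personal data you already hold. It only reduces new collection, which is why the post calls it a temporary workaround.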

If you do not solicit business from the EU/EEA and would like to block EU/EEA traffic from reaching your site, please contact us.